google.cloud
gcp_compute_instance doesn't add service account to the instance
SUMMARY
gcp_compute_instance doesn't apply changes when adding a service account and scopes to an existing (stopped) VM instance
ISSUE TYPE
- Bug Report
COMPONENT NAME
gcp_compute_instance
ANSIBLE VERSION
ansible 2.9.7
config file = None
ansible python module location = /usr/local/lib/python3.7/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.7.4 (default, Oct 12 2019, 18:55:28) [Clang 11.0.0 (clang-1100.0.33.8)]
CONFIGURATION
ansible-config dump --only-changed -v
No config file found; using defaults
OS / ENVIRONMENT
uname -a
Darwin 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64 x86_64
STEPS TO REPRODUCE
- name: Update instance
  gcp_compute_instance:
    name: "my-test-instance"
    zone: us-central1-a
    project: my-test-project
    auth_kind: serviceaccount
    deletion_protection: no
    service_account_file: "/Users/<user>/Downloads/credentials.json"
    service_accounts:
      - email: [email protected]
        scopes:
          - "https://www.googleapis.com/auth/devstorage.read_only"
          - "https://www.googleapis.com/auth/logging.write"
          - "https://www.googleapis.com/auth/monitoring.write"
          - "https://www.googleapis.com/auth/service.management.readonly"
          - "https://www.googleapis.com/auth/servicecontrol"
          - "https://www.googleapis.com/auth/trace.append"
    status: TERMINATED
    state: present
EXPECTED RESULTS
ok: [localhost] => (item=my-test-instance) => {
"ansible_loop_var": "item",
"canIpForward": false,
"changed": false,
"cpuPlatform": "Unknown CPU Platform",
"creationTimestamp": "2020-04-21T06:11:57.224-07:00",
"deletionProtection": false,
"description": "",
"disks": [
{
"autoDelete": true,
"boot": true,
"deviceName": "my-test-instance",
"diskSizeGb": "10",
"guestOsFeatures": [
{
"type": "VIRTIO_SCSI_MULTIQUEUE"
}
],
"index": 0,
"interface": "SCSI",
"kind": "compute#attachedDisk",
"licenses": [
"https://www.googleapis.com/compute/v1/projects/debian-cloud/global/licenses/debian-9-stretch"
],
"mode": "READ_WRITE",
"source": "https://www.googleapis.com/compute/v1/projects/my-test-project/zones/us-central1-a/disks/my-test-instance",
"type": "PERSISTENT"
}
],
"displayDevice": {
"enableDisplay": false
},
"fingerprint": "WY2SwusMoUE=",
"id": "6986067812958818291",
"invocation": {
"module_args": {
"auth_kind": "serviceaccount",
"can_ip_forward": null,
"deletion_protection": false,
"disks": null,
"env_type": null,
"guest_accelerators": null,
"hostname": null,
"labels": null,
"machine_type": null,
"metadata": null,
"min_cpu_platform": null,
"name": "my-test-instance",
"network_interfaces": null,
"project": "my-test-project",
"scheduling": null,
"scopes": [
"https://www.googleapis.com/auth/compute"
],
"service_account_contents": null,
"service_account_email": null,
"service_account_file": "/Users/<user>/Downloads/my-test-project-c7549fc3f4db.json",
"service_accounts": [
{
"email": "[email protected]",
"scopes": [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/trace.append"
]
}
],
"shielded_instance_config": null,
"state": "present",
"status": "TERMINATED",
"tags": null,
"zone": "us-central1-a"
}
},
"item": "my-test-instance",
"kind": "compute#instance",
"labelFingerprint": "42WmSpB8rSM=",
"machineType": "https://www.googleapis.com/compute/v1/projects/my-test-project/zones/us-central1-a/machineTypes/f1-micro",
"metadata": {
"ssh-keys": "omissis"
},
"name": "my-test-instance",
"networkInterfaces": [
{
"accessConfigs": [
{
"kind": "compute#accessConfig",
"name": "External NAT",
"networkTier": "PREMIUM",
"type": "ONE_TO_ONE_NAT"
}
],
"fingerprint": "eedH4rIkuwQ=",
"kind": "compute#networkInterface",
"name": "nic0",
"network": "https://www.googleapis.com/compute/v1/projects/my-test-project/global/networks/default",
"networkIP": "10.128.0.8",
"subnetwork": "https://www.googleapis.com/compute/v1/projects/my-test-project/regions/us-central1/subnetworks/default"
}
],
"reservationAffinity": {
"consumeReservationType": "ANY_RESERVATION"
},
"scheduling": {
"automaticRestart": false,
"onHostMaintenance": "TERMINATE",
"preemptible": true
},
"selfLink": "https://www.googleapis.com/compute/v1/projects/my-test-project/zones/us-central1-a/instances/my-test-instance",
"serviceAccounts": [
{
"email": "[email protected]",
"scopes": [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/trace.append"
]
}
],
"startRestricted": false,
"status": "TERMINATED",
"tags": {
"fingerprint": "42WmSpB8rSM="
},
"zone": "https://www.googleapis.com/compute/v1/projects/my-test-project/zones/us-central1-a"
}
ACTUAL RESULTS
ok: [localhost] => (item=my-test-instance) => {
"ansible_loop_var": "item",
"canIpForward": false,
"changed": false,
"cpuPlatform": "Unknown CPU Platform",
"creationTimestamp": "2020-04-21T06:19:23.517-07:00",
"deletionProtection": false,
"disks": [
{
"autoDelete": true,
"boot": true,
"deviceName": "my-test-instance",
"diskSizeGb": "10",
"guestOsFeatures": [
{
"type": "VIRTIO_SCSI_MULTIQUEUE"
}
],
"index": 0,
"interface": "SCSI",
"kind": "compute#attachedDisk",
"licenses": [
"https://www.googleapis.com/compute/v1/projects/debian-cloud/global/licenses/debian-9-stretch"
],
"mode": "READ_WRITE",
"source": "https://www.googleapis.com/compute/v1/projects/my-test-project/zones/us-central1-a/disks/my-test-instance",
"type": "PERSISTENT"
}
],
"displayDevice": {
"enableDisplay": false
},
"fingerprint": "wKws2l_yhiY=",
"id": "7680208216746314805",
"invocation": {
"module_args": {
"auth_kind": "serviceaccount",
"can_ip_forward": null,
"deletion_protection": false,
"disks": null,
"env_type": null,
"guest_accelerators": null,
"hostname": null,
"labels": null,
"machine_type": null,
"metadata": null,
"min_cpu_platform": null,
"name": "my-test-instance",
"network_interfaces": null,
"project": "my-test-project",
"scheduling": null,
"scopes": [
"https://www.googleapis.com/auth/compute"
],
"service_account_contents": null,
"service_account_email": null,
"service_account_file": "/Users/<user>/Downloads/my-test-project-c7549fc3f4db.json",
"service_accounts": [
{
"email": "[email protected]",
"scopes": [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/trace.append"
]
}
],
"shielded_instance_config": null,
"state": "present",
"status": "TERMINATED",
"tags": null,
"zone": "us-central1-a"
}
},
"item": "my-test-instance",
"kind": "compute#instance",
"labelFingerprint": "42WmSpB8rSM=",
"machineType": "https://www.googleapis.com/compute/v1/projects/my-test-project/zones/us-central1-a/machineTypes/f1-micro",
"metadata": {
"ssh-keys": "omissis"
},
"name": "my-test-instance",
"networkInterfaces": [
{
"accessConfigs": [
{
"kind": "compute#accessConfig",
"name": "external-nat",
"networkTier": "PREMIUM",
"type": "ONE_TO_ONE_NAT"
}
],
"fingerprint": "fOIsyTl-u34=",
"kind": "compute#networkInterface",
"name": "nic0",
"network": "https://www.googleapis.com/compute/v1/projects/my-test-project/global/networks/default",
"networkIP": "10.128.0.9",
"subnetwork": "https://www.googleapis.com/compute/v1/projects/my-test-project/regions/us-central1/subnetworks/default"
}
],
"reservationAffinity": {
"consumeReservationType": "ANY_RESERVATION"
},
"scheduling": {
"automaticRestart": false,
"onHostMaintenance": "TERMINATE",
"preemptible": true
},
"selfLink": "https://www.googleapis.com/compute/v1/projects/my-test-project/zones/us-central1-a/instances/my-test-instance",
"startRestricted": false,
"status": "TERMINATED",
"tags": {
"fingerprint": "42WmSpB8rSM="
},
"zone": "https://www.googleapis.com/compute/v1/projects/my-test-project/zones/us-central1-a"
}
Please note that in the actual result I'm also expecting to see (just under selfLink):
"serviceAccounts": [
    {
        "email": "[email protected]",
        "scopes": [
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring.write",
            "https://www.googleapis.com/auth/service.management.readonly",
            "https://www.googleapis.com/auth/servicecontrol",
            "https://www.googleapis.com/auth/trace.append"
        ]
    }
],
which is missing.
Even creating a VM using an existing service account is not working:
- name: create an instance
  gcp_compute_instance:
    state: present
    name: "{{ instance_name }}"
    machine_type: "{{ machine_type }}"
    service_accounts:
      - email: "{{ role_name | regex_replace('_', '-') }}@{{ service_project }}.iam.gserviceaccount.com"
    disks:
      - auto_delete: true
        boot: true
        source: "{{ disk }}"
    network_interfaces:
      - network: "{{ network_url }}"
        subnetwork: "{{ subnet_url }}"
        access_configs:
          - name: External NAT
            nat_ip: "{{ address }}"
            type: ONE_TO_ONE_NAT
    zone: "{{ zone }}"
    project: "{{ service_project }}"
    auth_kind: "{{ auth_kind }}"
    service_account_file: "{{ service_account_file }}"
    deletion_protection: no
    tags:
      items:
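A drift check for the situation this report describes, written here as an added example and not code from the google.cloud collection: it compares the service_accounts the task declared (visible under invocation.module_args in the result) with the serviceAccounts on the instance resource the module returned, so a run that reports changed: false while the identity was never attached fails loudly in CI instead of being found later. The sample result and its service-account email are constructed placeholders modelled on the ACTUAL RESULTS above.

```python
"""Detect service-account drift between a gcp_compute_instance task and the
instance resource it returns. Added example; not part of google.cloud."""


def declared_accounts(result):
    """Task input (snake_case module_args) -> {email: frozenset(scopes)}."""
    args = result.get("invocation", {}).get("module_args", {})
    wanted = args.get("service_accounts") or []
    return {sa["email"]: frozenset(sa.get("scopes") or []) for sa in wanted}


def actual_accounts(result):
    """Instance resource (camelCase API output) -> {email: frozenset(scopes)}."""
    have = result.get("serviceAccounts") or []
    return {sa["email"]: frozenset(sa.get("scopes") or []) for sa in have}


def service_account_drift(result):
    """Return human-readable findings; an empty list means resource matches task."""
    wanted, have = declared_accounts(result), actual_accounts(result)
    findings = []
    for email, scopes in wanted.items():
        if email not in have:
            findings.append(f"service account {email} declared but not attached")
            continue
        missing, extra = scopes - have[email], have[email] - scopes
        if missing:
            findings.append(f"{email}: missing scopes {sorted(missing)}")
        if extra:
            findings.append(f"{email}: unexpected extra scopes {sorted(extra)}")
    for email in have.keys() - wanted.keys():
        findings.append(f"unexpected service account {email} attached")
    return findings


# Constructed sample: the task asked for one account with two scopes, the
# returned resource has no "serviceAccounts" key at all, yet changed is False.
SA_EMAIL = "vm-sa@my-test-project.iam.gserviceaccount.com"  # placeholder
SA_SCOPES = ["https://www.googleapis.com/auth/devstorage.read_only",
             "https://www.googleapis.com/auth/logging.write"]
SAMPLE_RESULT = {
    "changed": False,
    "name": "my-test-instance",
    "status": "TERMINATED",
    "invocation": {"module_args": {"service_accounts": [
        {"email": SA_EMAIL, "scopes": SA_SCOPES}]}},
}

if __name__ == "__main__":
    for line in service_account_drift(SAMPLE_RESULT) or ["no drift"]:
        print(line)
```

Wire it into a post-task assert (e.g. on the registered result) so that a silently ignored service_accounts change fails the play rather than passing as "ok".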
Same issue here.
Ansible: 2.12.5
Python: 3.10.4
google-auth: 2.6.6
There is a general behavior where updating parameters in a task does not have any effect on the actual VM. This includes machine_type, service_accounts, tags, etc.
The compute API is a little tricky in that many of the fields are not updated on the resource, but rather updated by a series of custom methods.
Likely a few of those methods have to be wired up. machineType should work though, taking a look there.
Edit: It does seem that GCP offers an update API that enables machine_type, so perhaps that's usable instead. I don't know the motivation to use the individual custom methods.
This endpoint seems to update network tags and service accounts as well.
Then likely it's a field that maybe was introduced in the 2+ years since the module was first written, or a miss :)
I guess we have a sketch toward an approach. I'll try to take a look, but PRs are encouraged and perhaps faster.